Facebook privacy audit by auditors finds everything is awesome!

FTC's heavily redacted report says everything's hunky dory

The US Federal Trade Commission has released an audit of Facebook's privacy practices and it turns out there's nothing to worry about, at least as far as accounting firm PricewaterhouseCoopers (PwC) is concerned.

PwC, retained to check on how Facebook has been complying with its 2011 FTC consent decree for deceiving consumers, believes the social ad network – the same one recently pilloried by US lawmakers for allowing profile data to be spirited away to data firm Cambridge Analytica – has been doing a bang-up job.

Facebook puts 1.5bn users on a boat from Ireland to California

In response to an inquiry by the Electronic Privacy Information Center (EPIC), an advocacy group, the FTC recently published a heavily redacted version of the confidential audit on its website.

"In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information [for the two-year period between February 12, 2015 and February 11, 2017]," PwC's audit concludes.

Problem solved. But the redacted portions of the report make it difficult to understand how that conclusion was reached.

Er, does that sound accurate to you?

Marc Rotenberg, executive director of EPIC, one of the privacy groups responsible for the 2011 consent order that bound Facebook to biennial privacy reviews for 20 years, called the audit remarkable and not in a good way.

"Something is clearly off the rails," said Rotenberg in a phone interview with The Register. "In 2017, according to PwC, Facebook was doing a great job with privacy compliance. But that was two years after Cambridge Analytica had begun harvesting the data of Facebook users."

EPIC on Friday filed a lawsuit under the Freedom of Information Act (FOIA) to obtain the unreacted version of the audit, in the hope of understanding more about Facebook's privacy safeguards and whether it has breached the terms of the consent decree.

"The question is, after the FTC consent order, why do these problems continue to occur?" said Rotenberg. "That's what the FOIA is for."

The FTC, he said, made repeated use of the trade secret exemption as a justification for withholding information that Facebook does not want revealed. He found that ironic, he said, for a company that wants its users to share all their information.

It's troubling, he said, that the FTC seems unwilling to bring any legal action against either Facebook or Google to enforce privacy settlements.

Were Facebook to be found in breach of its agreement, the fines reportedly could reach $41,484 per violation per user per day. That could translate into billions if the violations applied to the more than 200 million US Facebook users over the course of a year or more.

Rotenberg was reluctant to speculate about why the FTC appeared to be so incapable of action. He chalked it up to "lack of political will." ®